
3 Answers

You are misunderstanding what top does and assuming that it is like head. Even though there is a head command, it cannot be vectored like you are desiring. What you need is the dedup command. Try this:

Yes! Thank you so much! The second one worked like a charm! First one doesn't work because like I said in my other comment, some events don't have virdbver fields. The sorting of virdbver removes those events without virdbver field. Genius!

Now do you see why I said your request was "nonsensical"? The only context that you gave us was your search in which you were (MIS)using the top command. Here are your mistakes:

1: You did not take the time to clearly explain what you were trying to do.
2: You made assumptions about how the top command works without reading the documentation.
3: Despite many comments and answers, you did not clearly restate your desires.
4: You downvoted people who were 100% correct (about your question being nonsensical).

As a result, many people wasted much time trying to help you and the worst part is that some were actually penalized for it. This is not the way to get help in the future. The bottom line is:

The BETTER QUALITY the question that you ask, the quicker and better quality the answers you will get. It is mostly up to you. We don't know what you mean; we have no choice but to go by what you say.

But I do have another problem. How do I move the columns?

On the "rename" command, you can change/move the "order" to move the columns.

rename virdbver as "AV Definitions:", devname as "Device Name:", date as "Date:", time as "Time:"

That doesn't work. As you can see from above, I've already set it to rename date as "Date:", time as "Time:", devname as "Device Name:", virdbver as "AV Definitions:" but yet, it's coming out as Device Name, Date, Time, AV Definitions.

You cannot show fields after top. This command does a statistical summary of the raw events and this process (obviously) consumes (supplants) those raw events. Think about it: If you asked "What were the top 10 most dangerous cities last year?" What "date" would you use? If your answer is 2015 then you can do this by adding | addinfo to the end of your search. This will add info_min_time and info_max_time to your search and you can do what you please with that. If you had any other answer, you are not only out of luck, but a rather strange person.

As I said, your desire is nonsensical. If you can explain a rational context for your desire (what kind of _time value makes any sense at all) then people can give you a solution that uses a stats instead of top.

I'm sorry, but I don't get you. Why is my desire nonsensical? I'm trying to get Splunk to only show the highest definition value per devname and show the date and time of when it updated to said value of definition. Why is this desire nonsensical?

I understand your "What were the top 10 most dangerous cities last year?" thingy, but look at it this way instead: "What's the latest AV definition on this device and when did it update?" That's what I want to know.
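The searches below are an added example written for this thread, not the SPL posted by any of the participants. They put together the three points made above: dedup (not top) keeps one raw event per device, the column order is set by the field list given to table rather than by rename, and a stats-based alternative answers "when did this device first report its current definition?" without losing _time. Field names devname, virdbver, date and time come from the thread; YOUR_INDEX and YOUR_SOURCETYPE are placeholders for your own data source. The filter virdbver=* drops events that carry no definition version, which is the case the asker mentioned.

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE virdbver=*
| dedup devname sortby -virdbver
| table devname virdbver date time
| rename devname AS "Device Name:", virdbver AS "AV Definitions:", date AS "Date:", time AS "Time:"

index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE virdbver=*
| eventstats max(virdbver) AS latest_def BY devname
| where virdbver = latest_def
| stats min(_time) AS first_seen_at BY devname latest_def
| eval updated_at = strftime(first_seen_at, "%Y-%m-%d %H:%M:%S")
| table devname latest_def updated_at
| rename devname AS "Device Name:", latest_def AS "AV Definitions:", updated_at AS "Updated At:"
```

The first search returns, for each device, the single raw event with the highest virdbver, so date and time are still real event fields and the columns appear in the order listed in table. The second search keeps every event for a device that matches its highest definition and reports the earliest timestamp among them, which is the moment the device first showed that definition. One caveat for both: sortby and max() compare version strings lexicographically unless the values are purely numeric, so a version scheme where "10.x" should sort above "9.x" needs the version normalised (or compared with num()/auto()) before the ordering is trusted for an AV-coverage check.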
